Skip to content

mtomasek780/BIND9_DNS_Over_TLS

master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
Here's what you need to modify on your working BIND9 install and assumes you have installed stunnel to your Linux distro already:

- Inside of your options file, for me that was /etc/named.conf, alter your forwarder to forward to your new stunnel setup that will listen on port 1053.  Make sure stunnel only listens on 127.0.0.1 since it will run as root.  You want to forward all requests that you don't host internally and that's why "forward only" is used after the forwarders definition.

- The "server" section is added outside of the options section to instruct BIND9 to push the packets over tcp and not udp to stunnel.

# /etc/named.conf

options {
                    ..
                    
                    forwarders {
                                127.0.0.1 port 1053;
                    };
                    forward only;
                    
                    
                    ..
                    
};

server 127.0.0.1 {
        tcp-only yes;
};


After you save that change to your BIND9 config, the next step is to create a stunnel config file... I put mine in /etc/stunnel/ and you can find that file in the GitHub repository as tls_dnf.conf, but let's break it down:

- First, I don't allow sslv3, tls1, or tls1.1 because Quad9 won't reply.  I must force stunnel to use tls1.2 or it will ignore my options and still use tls1.0 even though the options say not to.

- Second, I tell stunnel to use the client setting to listen for requests that will come from BIND9 that we previously setup to forward to stunnel

- Third, I listed on 127.0.0.1 for requests from BIND, I like running this on 127.0.0.1 since the stunnel service will run as root, so why expose a root level service to the network?

- Finally, I tell it to connect to dns.quad9.net and use port 853



The next step is simple, I go into my /etc/resolv.conf file and remove all DNS resolvers except for 127.0.0.1 so I don't use port 53 anymore. 



Finally, I setup a crontab for root:

@reboot /usr/bin/stunnel /etc/stunnel/tls_dns.conf

Now, if my server reboots and when BIND9 comes up, I will have stunnel waiting for requests and ready to go.  For extra efficency, I setup a firewall rule to forbid traffic on TCP/UDP 53 and now all my traffic flows out of TCP 853 which is DNS over TLS.


Enjoy!

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published